<?php

namespace app\middleware;

use \yifang\middleware\Middleware_contract;

class Security_csp implements Middleware_contract
{
    /**
     *  处理请求
     */
    public function handle($request, \Closure $next)
    {
        //安全头设置
        $headers=array();
        // $headers[]="Content-Security-Policy:default-src 'self' 'unsafe-inline'; frame-src  https: http:;";
        // $headers[]="X-Content-Security-Policy:default-src 'self' 'unsafe-inline'; frame-src  https: http:;";
        $headers[]="X-Frame-Options:\"SAMEORIGIN\" always";
        $headers[]="X-Content-Type-Options:\"nosniff\" always";
        $headers[]="Referrer-Policy:strict-origin-when-cross-origin";
        $headers[]="Permissions-Policy:geolocation=(self), microphone=(), camera=()";
        $headers[]="Strict-Transport-Security:\"max-age=2592000; includeSubdomains\" always";
        $headers[]="X-Xss-Protection:\"1; mode=block\" always";
        $headers[]="X-Permitted-Cross-Domain-Policies:\"master-only\" always";
        $headers[]="X-Download-Options:\"noopen\" always";
        foreach($headers as $header){
            header($header);
        }
        $response=$next($request);
        return $response;
    }
}


